Nginx Ingress with Cert-Manager Kubernetes


We will use Helm to install cert-manager on our cluster. cert-manager is a Kubernetes-native certificate manager, and one of its most useful features is that it can provision TLS certificates automatically: based on the annotations on a Kubernetes Ingress resource, cert-manager talks to Let's Encrypt and obtains a certificate on your service's behalf, then keeps it renewed.
Note: ensure that you are using Helm v2.12.1 or later.
Prerequisites :
  • A Kubernetes cluster version 1.8+
  • The kubectl CLI installed and configured
  • Helm and Tiller should be installed.

1. Connect to the cluster:

gcloud container clusters get-credentials yourclustername --zone zonename --project projectname

2. Create the cert-manager namespace:

Before installing cert-manager, we create a dedicated namespace for it.

kubectl create namespace cert-manager


3. Install cert-manager:

Now install cert-manager together with its CRDs. This manifest also registers the Issuer and ClusterIssuer resource types, which we use in the next step.
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.12.0/cert-manager.yaml
You should get output similar to the below.
clusterrole.rbac.authorization.k8s.io/cert-manager-view configured
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
clusterrole.rbac.authorization.k8s.io/cert-manager-edit configured
service/cert-manager created
service/cert-manager-webhook created
deployment.apps/cert-manager-cainjector created
deployment.apps/cert-manager created
deployment.apps/cert-manager-webhook created
mutatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook created
Warning: kubectl apply should be used on resource created by either kubectl create --save-config or kubectl apply
validatingwebhookconfiguration.admissionregistration.k8s.io/cert-manager-webhook configured

Verify the installation by the below command.
kubectl get pods --namespace cert-manager
NAME                                       READY   STATUS    RESTARTS   AGE
cert-manager-cainjector-58f48c4cb9-2q8wp   1/1     Running   0          1m
cert-manager-cb5f48858-zpzh2               1/1     Running   0          1m
cert-manager-webhook-74d98fdc7b-nbv8x      1/1     Running   0          1m
All three pods (controller, cainjector and webhook) must be Running; cert-manager is now installed in the cluster. Next we create a certificate issuer so cert-manager can obtain an X.509 certificate for our website.

4. Create the Let's Encrypt issuer:

Now let's create an issuer file, saved as prod_issuer.yaml, that issues TLS certificates for our domains. You can create a staging issuer first for testing (Let's Encrypt's production endpoint is rate-limited), but here we go straight to the production issuer.
apiVersion: cert-manager.io/v1alpha2
kind: ClusterIssuer
# A ClusterIssuer is cluster-scoped, so it takes no namespace and can be
# referenced from an Ingress in any namespace.
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # The ACME server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    # Email address used for ACME registration
    email: vishal@vishalvyas.com
    # Name of a secret used to store the ACME account private key
    privateKeySecretRef:
      name: letsencrypt-prod
    # Enable the HTTP-01 challenge provider
    solvers:
    - http01:
        ingress:
          class: nginx
Replace the email value with your own address; Let's Encrypt uses it for the ACME account and for certificate expiry notices.
The email address registers the ACME account, and the account's private key is stored in a Kubernetes Secret called letsencrypt-prod (in the cert-manager namespace, since this is a ClusterIssuer). We also enable the HTTP-01 challenge solver, which answers Let's Encrypt's validation requests through the nginx ingress class.

5. Apply the issuer file:

kubectl apply -f prod_issuer.yaml

6. Make the following changes in the Ingress file:

Apply these changes to your nginx Ingress manifest.

Add the below annotation under metadata.annotations so cert-manager knows which issuer to use for this Ingress.
metadata:
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"

Add the hosts you need to serve over HTTPS under spec.tls and set the secret name to letsencrypt-prod. This Secret lives in the Ingress's own namespace and receives the issued certificate and key; it is a different Secret from the ACME account key of the same name in the cert-manager namespace.
spec:
  tls:
  - hosts:
    - vishalvyas.com
    - imvishalvyas.com
    secretName: letsencrypt-prod
After applying the Ingress, cert-manager creates a Certificate resource named after the secret; `kubectl describe certificate letsencrypt-prod` shows whether the order has completed. We then perform a test using curl to verify that HTTPS is working correctly (add -v to see the certificate's subject and issuer).
curl https://vishalvyas.com
We have successfully configured HTTPS using a Let's Encrypt certificate for our nginx Ingress.
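The step 6 changes are easy to get subtly wrong (annotation in the wrong place, a TLS host no rule serves, a wildcard that HTTP-01 cannot satisfy). The following preflight checker is an added example, not code from the original post: it runs offline against a constructed manifest that mirrors the post's annotation and tls block; the Ingress name and backend Service are assumptions.

```python
from typing import Dict, List

ISSUER_ANNOTATION = "cert-manager.io/cluster-issuer"

# Constructed sample manifest mirroring the post's annotation and tls block;
# the Ingress name and backend Service are assumptions.
SAMPLE_INGRESS: Dict = {
    "apiVersion": "networking.k8s.io/v1beta1",
    "kind": "Ingress",
    "metadata": {"name": "web", "annotations": {
        "kubernetes.io/ingress.class": "nginx",
        ISSUER_ANNOTATION: "letsencrypt-prod"}},
    "spec": {
        "tls": [{"hosts": ["vishalvyas.com", "imvishalvyas.com"],
                 "secretName": "letsencrypt-prod"}],
        "rules": [{"host": h, "http": {"paths": [{"backend": {
                   "serviceName": "web", "servicePort": 80}}]}}
                  for h in ("vishalvyas.com", "imvishalvyas.com")],
    },
}


def preflight(ingress: Dict, cluster_issuers=("letsencrypt-prod",)) -> List[str]:
    """Return problems that would stop cert-manager issuing for this Ingress."""
    problems: List[str] = []
    annotations = (ingress.get("metadata") or {}).get("annotations") or {}
    issuer = annotations.get(ISSUER_ANNOTATION)
    if not issuer:
        problems.append(f"missing {ISSUER_ANNOTATION} annotation")
    elif issuer not in cluster_issuers:
        problems.append(f"ClusterIssuer {issuer!r} does not exist in the cluster")
    spec = ingress.get("spec") or {}
    rule_hosts = {r.get("host") for r in spec.get("rules") or [] if r.get("host")}
    tls_entries = spec.get("tls") or []
    if not tls_entries:
        problems.append("spec.tls is empty, so there is no certificate to request")
    seen_secrets = set()
    for i, entry in enumerate(tls_entries):
        secret = entry.get("secretName")
        if not secret:
            problems.append(f"spec.tls[{i}] has no secretName to store the certificate")
        elif secret in seen_secrets:
            problems.append(f"secretName {secret!r} reused; entries would overwrite each other")
        seen_secrets.add(secret)
        for host in entry.get("hosts") or []:
            if host.startswith("*."):
                problems.append(f"{host}: wildcard needs DNS-01; HTTP-01 cannot issue it")
            elif host not in rule_hosts:
                problems.append(f"{host} is in spec.tls but no rule serves it")
    return problems
```

Pass the ClusterIssuer names that actually exist in your cluster (`kubectl get clusterissuer`) as cluster_issuers; an empty list means the manifest is ready to apply.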

